[gnutls-devel] priority string DHE parameter acceptance

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Nov 5 04:57:20 CET 2013


I'm having some difficulty following the logic behind the way the GnuTLS
priority strings set what the minimum number of bits are required for
the group used for DHE key exchange.

I notice that if i set up a server using 1024-bit DHE, i get a different
response from these two priority strings:

        SECURE256:+VERS-TLS-ALL:+DHE-RSA:+MAC-ALL:+COMP-NULL

        NONE:+SECURE256:+VERS-TLS-ALL:+DHE-RSA:+MAC-ALL:+COMP-NULL

Using the former priority string, connections complete, but using the
latter priority string makes gnutls-cli refuse the connection at
1024-bit DHE.  If the DHE group is larger (2048 bits), both strings
allow connections to complete.

My understanding of the priority string mechanism suggests that the two
strings should have the same behavior.  What am i missing?

I'm using gnutls 3.2.5-1 on Debian.

        --dkg